eda86fe5e6c5fd67ca253a3b0a16d4901c283a7ca4bd656c45cb13f206e38ff4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Size

408KB
MD5

47b91a76cea3bac8a066cc7e8ebdd915
SHA1

e5bd8638ca8b8de9ca4f24d690bb6615611ddecf
SHA256

eda86fe5e6c5fd67ca253a3b0a16d4901c283a7ca4bd656c45cb13f206e38ff4
SHA512

3bac52ac9f176c4659c56319323a651d41ed8a36944f9cafb115267f461265909ad5c1ee8db09ce65bab58ac39c2878d6e2d22870caf0f26dc827c32adfc421a
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGgldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000d0000000230d9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023324-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db31-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023338-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023338-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e2cf-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002349c-28.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234af-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230e0-36.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234a4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000235d4-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4218E2E2-BC78-4e7a-AA56-625981309F14}\stubpath = "C:\\Windows\\{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe"	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C955BC-593A-445e-B763-0C14CC9C46D7}\stubpath = "C:\\Windows\\{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe"	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D402DFB-8122-41e3-8590-FFECE0213CA6}\stubpath = "C:\\Windows\\{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe"	{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}\stubpath = "C:\\Windows\\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe"	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00DB996D-AB35-40f4-B568-3D8136759ADD}	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00DB996D-AB35-40f4-B568-3D8136759ADD}\stubpath = "C:\\Windows\\{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe"	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}\stubpath = "C:\\Windows\\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe"	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}\stubpath = "C:\\Windows\\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe"	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C955BC-593A-445e-B763-0C14CC9C46D7}	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DE2C25-51C4-4378-98CD-3AF671C40180}	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DE2C25-51C4-4378-98CD-3AF671C40180}\stubpath = "C:\\Windows\\{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe"	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B34766-64F5-435a-A5A0-6BAB10E79671}	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B34766-64F5-435a-A5A0-6BAB10E79671}\stubpath = "C:\\Windows\\{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe"	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3BE0600-E63C-44f5-A326-B1881A160D39}	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3BE0600-E63C-44f5-A326-B1881A160D39}\stubpath = "C:\\Windows\\{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe"	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D402DFB-8122-41e3-8590-FFECE0213CA6}	{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4218E2E2-BC78-4e7a-AA56-625981309F14}	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}\stubpath = "C:\\Windows\\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe"	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}\stubpath = "C:\\Windows\\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe"	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe

Executes dropped EXE 11 IoCs

pid	Process
964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
3188	{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe
2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe
4608	{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
File created	C:\Windows\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
File created	C:\Windows\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
File created	C:\Windows\{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
File created	C:\Windows\{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
File created	C:\Windows\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
File created	C:\Windows\{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
File created	C:\Windows\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
File created	C:\Windows\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
File created	C:\Windows\{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
File created	C:\Windows\{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Token: SeIncBasePriorityPrivilege	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
Token: SeIncBasePriorityPrivilege	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
Token: SeIncBasePriorityPrivilege	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
Token: SeIncBasePriorityPrivilege	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
Token: SeIncBasePriorityPrivilege	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
Token: SeIncBasePriorityPrivilege	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
Token: SeIncBasePriorityPrivilege	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
Token: SeIncBasePriorityPrivilege	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
Token: SeIncBasePriorityPrivilege	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
Token: SeIncBasePriorityPrivilege	4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 964	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	103
PID 1800 wrote to memory of 964	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	103
PID 1800 wrote to memory of 964	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	103
PID 1800 wrote to memory of 4420	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	104
PID 1800 wrote to memory of 4420	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	104
PID 1800 wrote to memory of 4420	1800	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	104
PID 964 wrote to memory of 4072	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	108
PID 964 wrote to memory of 4072	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	108
PID 964 wrote to memory of 4072	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	108
PID 964 wrote to memory of 944	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	109
PID 964 wrote to memory of 944	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	109
PID 964 wrote to memory of 944	964	{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe	109
PID 4072 wrote to memory of 2604	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	111
PID 4072 wrote to memory of 2604	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	111
PID 4072 wrote to memory of 2604	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	111
PID 4072 wrote to memory of 4460	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	112
PID 4072 wrote to memory of 4460	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	112
PID 4072 wrote to memory of 4460	4072	{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe	112
PID 2604 wrote to memory of 3188	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	117
PID 2604 wrote to memory of 3188	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	117
PID 2604 wrote to memory of 3188	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	117
PID 2604 wrote to memory of 3972	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	118
PID 2604 wrote to memory of 3972	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	118
PID 2604 wrote to memory of 3972	2604	{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe	118
PID 4548 wrote to memory of 2932	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	122
PID 4548 wrote to memory of 2932	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	122
PID 4548 wrote to memory of 2932	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	122
PID 4548 wrote to memory of 4148	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	123
PID 4548 wrote to memory of 4148	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	123
PID 4548 wrote to memory of 4148	4548	{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe	123
PID 2932 wrote to memory of 2084	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	124
PID 2932 wrote to memory of 2084	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	124
PID 2932 wrote to memory of 2084	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	124
PID 2932 wrote to memory of 4416	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	125
PID 2932 wrote to memory of 4416	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	125
PID 2932 wrote to memory of 4416	2932	{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe	125
PID 2084 wrote to memory of 4072	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	126
PID 2084 wrote to memory of 4072	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	126
PID 2084 wrote to memory of 4072	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	126
PID 2084 wrote to memory of 1176	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	127
PID 2084 wrote to memory of 1176	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	127
PID 2084 wrote to memory of 1176	2084	{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe	127
PID 4072 wrote to memory of 2300	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	132
PID 4072 wrote to memory of 2300	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	132
PID 4072 wrote to memory of 2300	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	132
PID 4072 wrote to memory of 4676	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	133
PID 4072 wrote to memory of 4676	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	133
PID 4072 wrote to memory of 4676	4072	{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe	133
PID 2300 wrote to memory of 3368	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	137
PID 2300 wrote to memory of 3368	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	137
PID 2300 wrote to memory of 3368	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	137
PID 2300 wrote to memory of 2136	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	138
PID 2300 wrote to memory of 2136	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	138
PID 2300 wrote to memory of 2136	2300	{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe	138
PID 3368 wrote to memory of 4392	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	139
PID 3368 wrote to memory of 4392	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	139
PID 3368 wrote to memory of 4392	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	139
PID 3368 wrote to memory of 4072	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	140
PID 3368 wrote to memory of 4072	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	140
PID 3368 wrote to memory of 4072	3368	{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe	140
PID 4392 wrote to memory of 4608	4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe	144
PID 4392 wrote to memory of 4608	4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe	144
PID 4392 wrote to memory of 4608	4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe	144
PID 4392 wrote to memory of 3892	4392	{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe	145

C:\Users\Admin\AppData\Local\Temp\2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
  C:\Windows\{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
    C:\Windows\{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
      C:\Windows\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe
        
        C:\Windows\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3188
      - C:\Windows\{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
        
        C:\Windows\{1D402DFB-8122-41e3-8590-FFECE0213CA6}.exe
        6⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
        
        C:\Windows\{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
        
        C:\Windows\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
        
        C:\Windows\{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
        
        C:\Windows\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
        
        C:\Windows\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe
        
        C:\Windows\{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe
        
        C:\Windows\{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe
        13⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3BE0~1.EXE > nul
        13⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE8CB~1.EXE > nul
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C58DB~1.EXE > nul
        11⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4218E~1.EXE > nul
        10⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA74D~1.EXE > nul
        9⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00DB9~1.EXE > nul
        8⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D402~1.EXE > nul
        7⤵
        
        PID:4148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54462~1.EXE > nul
        6⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C875C~1.EXE > nul
        5⤵
        
        PID:3972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DE2~1.EXE > nul
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{43C95~1.EXE > nul
    3⤵
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00DB996D-AB35-40f4-B568-3D8136759ADD}.exe

Filesize
408KB

MD5
7c4f3c26aad6cd31b6f9af49d29a372e

SHA1
64777e926ef2ed539670c514fb05ef2d21ee1580

SHA256
25579caebccb4c52c05e01cd4e038a5668aea30881a64e6026c64a877b5c2d60

SHA512
d3375c0f859fa5a906d26c73540a502e7839217e2ae09f6da0f89140b12680b6fc54cde93690270d069cc7d983f6081f1dfec686c86be70891995cdf41430a23

Download Submit
C:\Windows\{4218E2E2-BC78-4e7a-AA56-625981309F14}.exe

Filesize
408KB

MD5
17b9f768c5228a54c44c888b1affa9ac

SHA1
211bb7307fb7720bc8ec8085ff897993425cbb3f

SHA256
57b87e6fbd883dcdbdcc2feb9aa9b1090c2ffd1bdba3c326f22fb116884120cd

SHA512
438b3263a6975839a7a1538b6dda059a39ea662289f3a22ecf73d2d9597f68ffcca842348d06c55b6fd9617636570d42baea0ca152ff7e4156030c7665f22ba6

Download Submit
C:\Windows\{43C955BC-593A-445e-B763-0C14CC9C46D7}.exe

Filesize
408KB

MD5
b153ecd541f7a8ebc24c9afe363993b2

SHA1
2144591c9412502a0400161c1dea7b0974c5eafa

SHA256
68aee9d4501b7a1445dc44dc3cbedd21a73099719c4d2d992befad0d823f452c

SHA512
d2888017932866b84198fbcc1ef1f91b3e99751107d3a3a839444f64a1a93534f3b4a6d7cb2d13bf8755f93f9dc1caa2a9b8260a80d0a3eddefdbce1c58a490f

Download Submit
C:\Windows\{54462F10-4ED1-4f6b-88CE-18A8A2AF7878}.exe

Filesize
408KB

MD5
e168d3083fd08452e62c7d603d77a35d

SHA1
06274efd4c55ad08373b1982a9a8921f659ac20b

SHA256
492abef5d28aae607011ac7d943ab8d3d70eb9c4d4f3238d29c5b0014683de3c

SHA512
ee4d58fd944fdf703c2a3bcb2ac9f80999fa0eeecd22d823980317ce5c61a7916a7e8aca5d9c43aad4a74c3783da1af21d0d49b6e81a1b0686f2afaea050aca7

Download Submit
C:\Windows\{B4DE2C25-51C4-4378-98CD-3AF671C40180}.exe

Filesize
408KB

MD5
732edd4072ee17fd40eb11396458d956

SHA1
baa207f785762c5706856b8d34abfe4225be4ec8

SHA256
e5e0d5240abfb1e144507c0701eab47b8f73103b54b8328788ffd4b6c624be23

SHA512
e26b5997d79f15444c38c33758dac2cf3c810422e74e030b22bd32a44db732f3a41fcc6bc503e70dfc6349c2ca0c9e6b563a98ff21041c50fdc5f5d07db2bba5

Download Submit
C:\Windows\{BE8CB648-7978-4d21-8230-AC0FB4FD808A}.exe

Filesize
408KB

MD5
6e9985d7ad3b0dcac5b814fec3e05e5f

SHA1
2117f733cc08725f2ff3ff9f0a118855ac008194

SHA256
7cf9f0e958419bd2960feee3f43f82508f727b0449e936089546d418e924af25

SHA512
cee06656c5cefedb4a218d4f7bbe7c5595209d36ce5991b918ba8b358ba1e1a7e41950298944182554720b55682abede73f0c554109e69cee28e1a873844757c

Download Submit
C:\Windows\{C58DB1ED-09D2-4e49-B00C-7A62A8444EB6}.exe

Filesize
408KB

MD5
b2ad7aef7426eaa2e72bb2ee21a1ab17

SHA1
174b3b23e67b6da85a29dbff2706e264e3d3e5c1

SHA256
527d0e3db6b1a224feb29e122ad558eb9a51cdf17a39bb92b11a93a5e71d025a

SHA512
682f21161787571ff67aee26d5592a26501450fa3e695c84b3d3eb694230644215b2a0d96b6d467adc66fbcab1b440fd7f7c5712367d88e0d99a1ed29cd40883

Download Submit
C:\Windows\{C875C5E0-83DB-4dfa-822C-4D8CB747FE40}.exe

Filesize
408KB

MD5
dae10f05278f1c6f108a252bee514aa7

SHA1
99d4966ba66548d16a1b1a5a9a9bdd973600c87b

SHA256
546566e24bed8324119a553e0cb1a07f905712d437b7be03c5030dbb7a365c69

SHA512
3ce6d3ecef3e94e9677d0fa56ff5546321a52adcd804acb13e5cefdb3cbae8d9aa1319021965cd3104b512d95234940375f1fa35da6f9547e874362d1c5c05d9

Download Submit
C:\Windows\{E1B34766-64F5-435a-A5A0-6BAB10E79671}.exe

Filesize
408KB

MD5
a591933743b333218be9a598591cfd71

SHA1
3b530f5b89c7bad41cce47d44715d7b9df5de086

SHA256
b458eb5495df7cab269d91734572ad3aabb21eacc0a511f1b85ce4f95333eabf

SHA512
67117b07ee23235d3d1a03edab23f2a773f2d01fa40f05bd2ced65161727daf517e99565c7c24a4d22ec338f8a5b2065a03e5956923e8b56d194bbac7ef90219

Download Submit
C:\Windows\{F3BE0600-E63C-44f5-A326-B1881A160D39}.exe

Filesize
408KB

MD5
3a794c716f283a1a6cd9d0a70842c2d4

SHA1
66ca5f8108b988d4378d5ffda9f55bfc047e4f5b

SHA256
ddf3bab10068d7cc67bb6ee8c93fe5ba76fb0f9b0d886f2808cdc083941c5752

SHA512
1c66565b230908a244d68a96f67c8dcce9a29a9b3d6e2ab03f5d7a08cea9824fc063b88f7b3858598aa6807a8dbbb876aa15790de6611778d8f2f45c50cb8473

Download Submit
C:\Windows\{FA74D78E-D6DE-4d25-ADA1-A27C5E8332D3}.exe

Filesize
408KB

MD5
03443aa8e3c4fa2d23c0f820e53575ef

SHA1
84987ebb63f25a884f0445ec2a18942d45496eeb

SHA256
8d434cda6e205b9dcab882bd1d9f492fd8b2c725030423eae61ca031dc5e0316

SHA512
3a47d36418bb6e922f8f52c96c1fcab05da840265899f773fd4884977b3d97800c6d03b2715fca83d16848154b2382dbf94180d844511865cbfcb231a9f6759b

Download Submit
memory/3188-15-0x0000000003A60000-0x0000000003B3B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads